Lessons Learned from Generating 100M SBOMs - Google's Approach to SBOM Compliance
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore Google's journey in generating 100 million Software Bills of Materials (SBOMs) in response to the US White House Executive Order 14028. Discover the challenges faced, the solutions implemented, and the lessons learned as Google tackled the massive task of cataloging all of its software. Gain insights into the organizational and engineering principles employed, including the involvement of various teams, the role of build systems in SBOM generation, and the concept of attested SBOMs. Learn about the implementation of a "less is more" approach and the use of Linux Foundation and Cloud Native Computing Foundation technologies such as SPDX, SLSA, and in-toto. Understand how Google navigated questions regarding product selection, format choices, tooling decisions, responsibilities, storage solutions, and legal and privacy considerations to achieve SBOM compliance within a six-month timeframe.
Syllabus
Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
SPDX 3.0 Overview - Introduction to Software Package Data Exchange (Linux Foundation via YouTube)
Software Part Catalog Management for Successful SBOM Creation (Linux Foundation via YouTube)
Our Journey to Open Source - From a Conservative Japanese Company (Linux Foundation via YouTube)
SW360 SBOM - Managing Vulnerability Information, SPDX Documents and Dependency Networks (Linux Foundation via YouTube)
OpenDataology: Fixing Dataset Licensing for AI - A Call to Arms (Linux Foundation via YouTube)